Hi
I was just wondering how domain controller redundancy works in Check Point policy. You create an LDAP Account Unit for a domain and add in your 2 LDAP server objects (domain controllers).

Then on the "Objects Management" tab you can only choose 1 of these 2 servers

Today the cert on irbdc04 changed, which meant LDAPS queries stopped working until the fingerprint was fetched. The customer asked us, "why didn't the other domain controller take over serving authentication queries?"
So I'm wondering: even though I have 2 servers defined in the LDAP Account Unit, but only 1 defined on the Objects Management tab, does this mean that if irbdc04 is not working there is no LDAP server redundancy? At what point will phdc03 take over serving requests?
Thanks in advance
John
I would use CP Identity Collector here - see sk108235 Identity Collector - Technical Overview for details!
The question is about authentication, not about Identity Awareness.
We had EXACTLY the same issue as you a year ago, and it looks like priority does nothing in this case because LDAP is reachable but cannot fetch anything = no issue at all for Check Point.
In case the first LDAP is not reachable (telnet 636 not possible), it will go to the other LDAP in the priority list.
In your case the first LDAP was reachable (can you confirm?) and that's all fine according to Check Point design.
Hi Jozko
Yeah, the LDAP server was reachable (the server was up), but the fingerprint on the cert had changed, so it could not retrieve anything. So does that mean that if the server is up and reachable it will not use the next server in the list, even though it cannot query the directory?
Yes, exactly.
That's a big problem with the LDAPS configuration in the Check Point Account Unit, as there is no check of when the certificate expires and no warning upfront.
That's why I prefer LDAP in this case (at least if everything is internal traffic), even though we send it in the clear.
Thanks Norbert. I suggested this to customer but they prefer not to send usernames/passwords in the clear. Is there any other way around this? Is this issue addressed in a subsequent version?
Thanks again
John
Does anyone know if the fingerprint is cached for a period of time on the gateways? Our DCs are configured to auto-renew their certificates annually. But I don't know how much time (if any) we have after the certificates are renewed on the DCs to fetch the new fingerprint and push policy?
This is indeed a good question, I second that.
The best would be to test it in a LAB to see the real-world scenario. I suspect that the fingerprint is not cached; it could depend on how often you are downloading CRLs from the DC, or what the gateway is requesting from the DC.
The fingerprint is not cached on the gateway. The fingerprint will be installed on the gateway if you fetch it from the LDAPS server and do a policy install. Until you change the policy, nothing is changed on the gateway. If the fingerprint changes on the LDAP server, you have to fetch it again and install policy.
There is only one way to overcome the fingerprint problem following LDAP failing with "SSL finger print does not match", but with a little lower security.
As a security company, Check Point should solve such a small problem.
Wolfgang
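As an added example (not from this thread and not Check Point's own tooling), a small Python check that fetches the certificate each DC presents on port 636 and compares its fingerprint with the one last fetched into the Account Unit. It separates "reachable but fingerprint changed", the state the thread shows the gateway does not fail over from, from "unreachable", which it does. The hostnames irbdc04 and phdc03 come from the thread; the expected fingerprints are placeholders, and the SHA-1 colon-separated format is an assumption to adjust to what your console displays.

```python
import hashlib
import socket
import ssl

# Hypothetical inventory: the DCs named in the thread and the fingerprint that was
# fetched into the Account Unit at the last policy install (constructed placeholders).
EXPECTED_FINGERPRINTS = {
    "irbdc04": "PLACEHOLDER-FINGERPRINT-FROM-LAST-POLICY-INSTALL",
    "phdc03": "PLACEHOLDER-FINGERPRINT-FROM-LAST-POLICY-INSTALL",
}
LDAPS_PORT = 636


def fetch_der_cert(host, port=LDAPS_PORT, timeout=5.0):
    """Return the DER-encoded leaf certificate the LDAPS listener presents.
    Verification is deliberately off: we want the certificate even when it is
    freshly renewed and not yet trusted, which is exactly the case that breaks
    the Account Unit. Nothing is sent to the directory besides the TLS handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der_bytes, algorithm="sha1"):
    """Colon-separated uppercase hex digest of the DER certificate
    (assumption: SHA-1; change the algorithm if your console shows another)."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp):
    """Make fingerprints comparable regardless of case, colons or spaces."""
    return fp.replace(":", "").replace(" ", "").upper()


def classify_dc(host, expected_fp, fetch=fetch_der_cert):
    """OK / FINGERPRINT_MISMATCH / UNREACHABLE for one domain controller.
    UNREACHABLE is the only state the Account Unit fails over from; MISMATCH
    leaves the gateway on a server it can connect to but cannot query."""
    try:
        der = fetch(host)
    except OSError as exc:  # socket errors and ssl.SSLError are both OSError
        return "UNREACHABLE", str(exc)
    actual = fingerprint(der)
    if normalise(actual) == normalise(expected_fp):
        return "OK", actual
    return "FINGERPRINT_MISMATCH", actual


def audit(expected=EXPECTED_FINGERPRINTS, fetch=fetch_der_cert):
    return {host: classify_dc(host, fp, fetch) for host, fp in expected.items()}


if __name__ == "__main__":
    for host, (state, detail) in audit().items():
        print(f"{host}: {state} ({detail})")
```

Run it on a schedule around the DCs' auto-renewal window so a FINGERPRINT_MISMATCH on either server triggers a fetch and policy install before authentication stops.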